Customer Story

Lemlist

How Lemlist Achieved SOC2 Type 2 Compliance

Company: Lemlist

Employees: 150

Compliance: SOC 2 Type II

Headquarters: France

Feedback from: Mickaël Faivre-Maçon, CTO at Lemlist

Company Overview

Lemlist is a Sales Engagement Platform that helps go-to-market teams personalize and scale outreach across thousands of prospects. As their customer base grew to include enterprise clients with strict security requirements, SOC2 Type 2 compliance became a critical barrier to closing major deals. Without certification, they were locked out of conversations with regulated industries and large organizations.

The Challenge

Navigating Multi-Cloud Complexity While Maintaining Velocity

  • Governance was solid operationally, but not yet aligned with SOC2's formal audit structure: Lemlist's infrastructure spans multiple clouds, each with its own configuration model and security requirements. Understanding what each provider needed, proving compliance across all of them, and keeping configurations aligned was a puzzle the team hadn't solved before.

  • Policy review and approval at scale: With docs already established, the team had raw material but no way to efficiently review, approve, and maintain policies collaboratively. Notion-based feedback loops were clunky, and they needed a structured way to iterate.

  • Resolving technical gaps while learning compliance language: Questions like "Is [provider] enough for user access management?" and "Do we really need weekly patches for bare-metal servers?" highlighted the need for clarity on auditor expectations.

The Solution

A Pragmatic Approach: Streamlined Reviews, Practical Policies, Real Clarity

  • Efficient policy curation and customization: Instead of starting from scratch, Bastion reviewed Lemlist's existing policies, identified what was relevant to SOC2, and uploaded a curated set. The team could then focus on approving and adapting policies rather than writing from blank pages.

  • Multi-cloud configuration guidance: Bastion's team helped navigate the specifics of each cloud's setup, answering concrete questions like "What would you recommend for this control given our multi-cloud setup?" and "How do I handle parking IPs and scope exclusions?" This removed the guesswork.

  • Trunk-based development alignment: Rather than adjusting their process to satisfy an audit format, Bastion helped the team articulate how their trunk-based workflow is built on strong engineering and security foundations. They documented how this approach inherently fulfills the intent of change-management controls and maps naturally to SOC 2 requirements.

  • Collaborative policy iteration: Bastion provided a clear path for policy review and approval, helping the team move from scattered Notion comments to a structured process where they could track changes, approvals, and ownership by role.

  • Right-first-time compliance: Bastion worked with the team to establish a risk register that aligns seamlessly with their policies and operational practices, creating a clear and defensible foundation for audits. They also implemented structured, audit-ready evidence standards—such as consistent screenshots, meeting records, and risk documentation—to reduce the risk of evidence rejection and eliminate unnecessary back-and-forth with auditors.

The Impact

Compliance Achieved with Real-World Pragmatism

  • SOC2 Type 2 audit completed without exception and validated across multi-cloud infrastructure
  • Multi-cloud configuration fully documented and compliant without rearchitecting
  • Policy library operationalized with clear ownership by role and a sustainable approval process
  • First audit passed without critical findings, enabling immediate customer conversations about security posture

Lemlist transformed a complex multi-cloud compliance challenge into a competitive advantage. By achieving SOC2 Type 2 certification on their own terms—without upending their development practices—they unlocked enterprise conversations and proved they could scale securely alongside their customers.
